The newest version, detected as W32/Backoff.C!tr.spy, is now equipped with a packer, code that maps the image to its original base address before continuing to execute, putting even more roadblocks to the analysis process. The malware hides itself in the user’s Application Data folder but, unlike the previous version, randomly selects a name from a predefined list. The malware is designed to steal credit card numbers off Point of Sale terminals, which could potentially result in millions of stolen cards if a major retailer is hit. Fortinet is one of two security companies able to specifically identify and block this malware today.

On November 3rd, FortiGuard researchers reported an updated version of “Backoff”, dubbed ROM, which performed many of the same functions as its predecessor, but leveraged a slew of new techniques that made the threat more difficult to detect and analyze. This version circumvented security controls by disguising itself as a media player with the file name mplayer.exe and dropping a file in the user’s Application Data folder.

FortiGuard researchers have observed that the malware authors are continuing to modify the threat in order to bypass security detection, and recommend that users maintain updated antivirus software to better protect themselves from this evolving threat.